AppNote

Installing and Configuring subversion-server and apache2 with LDAP authentication against eDirectory

Author Info

10 July 2008 - 10:46am
Submitted by: jhhut


Jon Hardman
Software Engineer II
Identity Manager Resource Kit

Overview

An exciting new feature of Designer 3 is the ability to use the Subversion version control system to manage Designer projects. This allows you to track a project's history, see who made the changes, and roll back to previous revisions if necessary. The Designer help files describe how to set up a local Windows Subversion server to keep your Designer projects on your local machine. In most enterprises, however, a centrally accessible, server-based Subversion server is desirable. This document describes how to set up an apache2 HTTP Subversion server that authenticates against your LDAP server (preferably eDirectory) to host your Designer projects, which can then be updated, checked out, etc., from multiple clients.

    Operating System:
            SUSE Linux Enterprise Server 10 SP2 (SLES10SP2)
            SUSE Linux Enterprise Server 10 Software Development Kit SP2 (sle-10-sdk-sp2)
    eDirectory version:
            eDirectory 8.8.2 for Linux
    Identity Manager version:
            IDM 3.5.1 for Linux (optional)
    Apache and Subversion:
            apache2.2.3-16.18
            subversion1.3.1-1.5
    Designer version:
            Designer for Identity Manager v3

Prerequisites

SUSE Linux Enterprise Server 10 SP2 i386 architecture
SUSE Linux Enterprise Server 10 Software Development Kit SP2 (sle-10-sdk-sp2)

eDirectory 8.8.2 installation files (archive or iso)

Installation source for SUSE Linux Enterprise Server 10 Software Development Kit SP2

This article assumes a working knowledge of SUSE Linux and eDirectory in general.

Installation and Configuration


SUSE Linux

  1. Install SLES 10 SP2 i386. For software pattern installation, select the default installation.


eDirectory (for stand-alone configuration)

Note: You can also authenticate against an existing eDirectory instance 'over the wire' if you have one available in your environment. If this is the case, you can skip this section.


Installation:

  1. Download eDirectory 8.8.2 iso from download.novell.com
  2. “su” to root ('su' in console, enter root password)
  3. Mount the eDirectory installation .iso as /media/cdrom ('mount -t iso9660 -o loop eDir_882.iso /media/cdrom')
  4. “cd” into /media/cdrom (this may also be “/media/cdrom/eDirectory/setup”, depending on the eDirectory version) ('cd /media/cdrom')
  5. Execute './nds-install'. Select options 1 and 2 for full eDirectory installation.

    eDirectory installation is now complete. You can now configure your eDirectory tree using the eDirectory utility 'ndsconfig'.


eDirectory Configuration:

  1. First, you must set your system PATH for the nds binaries/libraries by issuing the command '. /opt/novell/eDirectory/bin/./ndspath' in the console. (Note that the command starts with dot-space.)
  2. Now configure your eDirectory tree from the command line using ndsconfig; for example, 'ndsconfig new -t MYTREE -a cn=admin.o=novell -n o=novell -S myserver -i -e -D /var/opt/novell/instance0 -d /var/opt/novell/instance0/data/dib -w password --config-file /var/opt/novell/nds0.conf'. (The '-i' option ignores duplicate tree lookup; '-e' enables LDAP clear-text passwords, which the clear-text ldap:// configuration later in this document uses.)
  3. Once eDirectory configuration is complete, you can verify ndsd is up and running with 'ndsstat'.


Add SLE-10-SDK-SP2 installation source

Download SLES10 SDK SP2 and set it as an installation source:

  1. Download SLES 10 SDK SP2 from download.novell.com
    1. http://download.novell.com/Download?buildid=eRAdQt...
  2. Save DVD1 and DVD2 to your local file system
  3. Start 'yast2' and add DVD1.iso as an installation source
  4. Finish


Install Apache2 and subversion-server software

Install required software

  1. “rug in apache2 apache2-doc neon subversion-server”
  2. Finish installation
  3. Create subversion group and user
    1. (su) groupadd -r svn; useradd -r -g svn -d /srv/svn -s /bin/false svn


Configure apache2 and subversion

  1. Enable the needed apache2 modules from the command line
    1. (su) a2enmod dav
    2. (su) a2enmod dav_svn
    3. (su) a2enmod ldap
    4. (su) a2enmod authnz_ldap
  2. Configure subversion server for apache2
    Each repository requires its own entry in the /etc/apache2/conf.d/subversion.conf file. For ease of use, we will configure one 'parent' repository, and then create 'child' projects below the parent for the Designer projects.
  3. Configure the parent repository
    1. Using a text editor (vi in this case), run (as root): “vi /etc/apache2/conf.d/subversion.conf”
    2. subversion.conf should read as follows:
    # Example configuration for a subversion repository
    # see /usr/share/doc/packages/subversion for the full documentation
    #
    <IfModule mod_dav_svn.c>
    <Location /repos>
       DAV svn
       SVNParentPath /srv/svn/repos
       SVNListParentPath on

       # Limit write permission to list of valid users.
       <LimitExcept GET PROPFIND OPTIONS REPORT>
          # Require SSL connection for password protection.
          # SSLRequireSSL

          AuthBasicProvider ldap
          AuthType Basic
          AuthName "LDAP Authorization Realm"
          AuthLDAPURL ldap://127.0.0.1:389/OU=users,O=company,DC=data
          require ldap-attribute objectClass=user
       </LimitExcept>
    </Location>
    </IfModule>

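    In this case, the subversion location will be /srv/svn/repos, the LDAP server is 127.0.0.1:389 (clear-text LDAP), and the users are in the container OU=users,O=company,DC=data. Because the authentication directives sit inside <LimitExcept GET PROPFIND OPTIONS REPORT>, only requests using other methods (writes such as check-ins) require an LDAP login; read requests are served without authentication.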

    Without the SVNListParentPath directive, you cannot go to the repositories' index page - you will get an 'Access Forbidden' response.


Create parent subversion repository

Create and configure the subversion repository

  1. (su) mkdir -p /srv/svn/repos
  2. Restart apache2 (rcapache2 restart)
  3. Set up a project repository (mydesignerprojects, for example)
    1. 'svnadmin create /srv/svn/repos/mydesignerprojects'
    2. chown -R wwwrun:www /srv/svn/repos/mydesignerprojects/


Enable https for apache2 (optional)

  1. Run 'gensslcert' to generate new, valid certs
  2. Copy /etc/apache2/vhosts.d/ssl-vhost.template to /etc/apache2/vhosts.d/ssl-vhost.conf
  3. rcapache2 restart -DSSL
  4. You may need to copy the https certificate files to your Designer client in order to avoid prompts from the Designer svn client (there is an option to save the certificate information on the initial check-in or check-out via https)


Enabling ldaps (secure LDAP) authentication (optional)

See http://httpd.apache.org/docs/2.2/mod/mod_ldap.html
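
A check of subversion.conf against the two optional hardening steps above, as an added example that is not part of the original AppNote. The function name, the finding codes and the temporary sample file are made up for illustration; the sample reproduces the active directives of the configuration shown earlier.

```shell
#!/bin/sh
# Added example (not from the AppNote): flag settings in a mod_dav_svn + LDAP
# config that expose credentials or allow unauthenticated access.
# Prints one finding code per line; prints nothing for a clean config.
audit_svn_conf() {
    # Drop comment lines so "# SSLRequireSSL" is not mistaken for an active directive.
    active=$(sed -e '/^[[:space:]]*#/d' "$1")

    # Basic auth sends the eDirectory password merely base64-encoded on plain http.
    if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic'; then
        printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*SSLRequireSSL' ||
            echo "BASIC_AUTH_WITHOUT_SSLREQUIRESSL"
    fi

    # ldap:// without a TLS mode keyword means Apache binds to the directory in clear text.
    ldapurl=$(printf '%s\n' "$active" | grep -Ei '^[[:space:]]*AuthLDAPURL[[:space:]]' || true)
    case $ldapurl in
        *ldaps://*) ;;
        *ldap://*)
            printf '%s\n' "$ldapurl" | grep -Eiq '[[:space:]](SSL|TLS|STARTTLS)[[:space:]]*$' ||
                echo "LDAP_BIND_IN_CLEAR_TEXT" ;;
    esac

    # <LimitExcept GET ...> keeps the listed methods outside the auth block: anonymous reads.
    if printf '%s\n' "$active" | grep -Eiq '<LimitExcept[^>]*GET'; then
        echo "ANONYMOUS_READ_ACCESS"
    fi
    return 0
}

# Constructed sample: the subversion.conf from this document, written to a temp file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<Location /repos>
   DAV svn
   SVNParentPath /srv/svn/repos
   SVNListParentPath on
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      # SSLRequireSSL
      AuthBasicProvider ldap
      AuthType Basic
      AuthName "LDAP Authorization Realm"
      AuthLDAPURL ldap://127.0.0.1:389/OU=users,O=company,DC=data
      require ldap-attribute objectClass=user
   </LimitExcept>
</Location>
EOF
audit_svn_conf "$SAMPLE"
```

On a real server, pass /etc/apache2/conf.d/subversion.conf as the argument. A configuration with SSLRequireSSL active, an ldaps:// (or TLS-mode) AuthLDAPURL and no GET exemption prints nothing.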

Check in Designer projects

  1. In Designer, from either the outline or project view, select 'Check In...'
  2. For the 'repository location', enter the parent svn repository created in step 5.1 above (http://server.ipaddress.or.hostname/repos/mydesign...)
  3. For the 'project name', you may enter whatever identifier you like (project1)
  4. Enter a comment (e.g. initial checkin) and hit OK
    1. You will be prompted for a username and password. The username will be the eDirectory RDN (no context or 'cn=') of a user in the LDAP context listed in the subversion.conf file and the password is the user's eDirectory password.
    2. Your project will be added to the mydesignerprojects svn repository.


Check out Designer projects

You (or your colleagues) can now check out projects that have been added to the subversion repository from other Designer clients.

  1. From the Designer menu, select 'Project → Import Project → Version Control...'
  2. Version control URL or file path is “http://yoursubserver/repos/mydesignerprojects/”
    1. You should now see a list of your Designer projects in the lower Designer pane.
    2. Expand the project you wish to 'check out', highlight the project icon, and hit the Finish button.
    3. The project will be imported from the subversion server to your Designer workspace and opened in Designer's project view.

Conclusion

You now have a web-based, centrally accessible subversion server with which you can use version control to track your Designer/IDM projects. Further enhancements can be made to the version control system to control access rights, group membership, etc., which are beyond the scope of this document. For enterprise deployments or multiple-user consulting projects, Designer's version control feature is an extremely powerful tool to enable team collaboration.


© 2008 Novell, Inc. All Rights Reserved.